Monday, 12 January 2009

eMule VeryCD mod clients unmasked: they use a community-owned dedicated communication server for internal source exchange


Security alert

VeryCD community mods unmasked

The VeryCD mods have a hidden community source exchange server embedded, which searches for the community's own sources between VC clients and identifies the user by IP address, VeryCD mod build, version, and the files requested for download or sharing (a wrong implementation of metalink features on the web server, used as a source finder and as a client version/mod access tracer).

The VC mods are connected to the community's own background server, which traces all user activities, including the ed2k files of the eMule mod user.

Later source code embeds UrlSrcFromSvrSocket.cpp, which validates the genuine client version from MetaLinkQuerySocket.cpp.

VC mods are traced through this community-owned server.

Tests showed that as soon as the mod version is changed in the source code, the community exchange server rejects the mod.

Verbose window output in the eMule client, showing the exchange with the web server:

13.01.2009 01:00:44: Óë·þÎñÆ÷ client.stat.verycd.com Á¬½Ó³É¹¦£¬×¼±¸·¢ËÍ:
13.01.2009 01:00:44: GET /dl/e7733767b1c83004f39f42e092ec19e5729485312/[%E6%B4%AA%E5%A0%A1%E5%8E%BF].Humboldt.County.2008.DVDRip.XviD-VoMiT.avi/start HTTP/1.0
Host: client.stat.verycd.com
Accept: */*


13.01.2009 01:00:45: È¡/dl/e7733767b1c83004f39f42e092ec19e5729485312/[%%E6%%B4%%AA%%E5%%A0%%A1%%E5%%8E%%BF].Humboldt.County.2008.DVDRip.XviD-VoMiT.avi/startʱ£¬·µ»Ø½á¹û£º
13.01.2009 01:00:45: HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2009 18:00:45 GMT
Server: Apache
Expires: Mon, 12 Jan 2009 18:00:45 GMT
Last-Modified: Mon, 12 Jan 2009 18:00:45 GMT
Cache-Control: private
Pragma: Pragma
Vary: Accept-Encoding
Content-Length: 2254
Content-Type: text/html
X-Cache: MISS from httpd-4.verycd.com
Via: 1.0 httpd-4.verycd.com:80 (squid/2.6.STABLE22)
Connection: close


< ! DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd " >
< html xmlns = " http://www.w3.org/1999/xhtml " >

< head >
< meta http-equiv=" Content-Type " content= " text/html ; charset= utf-8 " / >
< title >分享互联网 - 服务器超载 :'(...< / title >
< link href= " http://doc.verycd.com/stylesheet/error.css " rel=" stylesheet " type=" text/css " / >
< /head >
< body >
< table width="720" border="0" cellspacing="0" cellpadding="0" >
< tr >
< td >< a href=" http://www
13.01.2009 01:00:45: Receive UrlSources from server (http response code = 500)
13.01.2009 01:00:45: < HTTP/1.0 500 Internal Server Error
13.01.2009 01:00:45: < Date: Mon, 12 Jan 2009 18:00:45 GMT
13.01.2009 01:00:45: < Server: Apache
13.01.2009 01:00:45: < Expires: Mon, 12 Jan 2009 18:00:45 GMT
13.01.2009 01:00:45: < Last-Modified: Mon, 12 Jan 2009 18:00:45 GMT
13.01.2009 01:00:45: < Cache-Control: private
13.01.2009 01:00:45: < Pragma: Pragma
13.01.2009 01:00:45: < Vary: Accept-Encoding
13.01.2009 01:00:45: < Content-Length: 2254
13.01.2009 01:00:45: < Content-Type: text/html
13.01.2009 01:00:45: < X-Cache: MISS from httpd-4.verycd.com
13.01.2009 01:00:45: < Via: 1.0 httpd-4.verycd.com:80 (squid/2.6.STABLE22)
13.01.2009 01:00:45: < Connection: close
13.01.2009 01:00:45: Óë·þÎñÆ÷ meta.verycd.com Á¬½Ó³É¹¦£¬×¼±¸·¢ËÍ:
13.01.2009 01:00:45: GET /app/emule/metalink/e7733767b1c83004f39f42e092ec19e5729485312/%5B%25E6%25B4%25AA%25E5%25A0%25A1%25E5%258E%25BF%5D.Humboldt.County.2008.DVDRip.XviD-VoMiT.avi.metalink HTTP/1.0
Host: meta.verycd.com
Accept: */*


13.01.2009 01:00:45: È¡/app/emule/metalink/e7733767b1c83004f39f42e092ec19e5729485312/%%5B%%25E6%%25B4%%25AA%%25E5%%25A0%%25A1%%25E5%%258E%%25BF%%5D.Humboldt.County.2008.DVDRip.XviD-VoMiT.avi.metalinkʱ£¬·µ»Ø½á¹û£º
13.01.2009 01:00:45: HTTP/1.0 404 Not Found
Date: Mon, 12 Jan 2009 18:00:45 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 405
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from httpd-29.verycd.com
Via: 1.0 httpd-29.verycd.com:80 (squid/2.6.STABLE20)
Connection: close

< ! DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0// EN " >
< html >< head >
< title >404 Not Found< /title >
< /head >< body >
< h1 >Not Found< /h1 >
< p >The requested URL /app/emule/metalink/e7733767b1c83004f39f42e092ec19e5729485312/[1.457755E-3116B40X1.3F5480P-1015A2.798522E-29350X1.1FFF00P-97200X1.0282D0P-101612.608646E-30853.552665E-306BF].Humboldt.County.2008.DVDRip.XviD-VoMiT.avi.metalink was not found on this server.< /p >
< hr >
< address >Apache Server at meta.verycd.com Port 80< /address >
< /body >< /html >

13.01.2009 01:00:45: Receive UrlSources from server (http response code = 404)
13.01.2009 01:00:45: < HTTP/1.0 404 Not Found
13.01.2009 01:00:45: < Date: Mon, 12 Jan 2009 18:00:45 GMT
13.01.2009 01:00:45: < Server: Apache
13.01.2009 01:00:45: < Vary: Accept-Encoding
13.01.2009 01:00:45: < Content-Length: 405
13.01.2009 01:00:45: < Content-Type: text/html; charset=iso-8859-1
13.01.2009 01:00:45: < X-Cache: MISS from httpd-29.verycd.com
13.01.2009 01:00:45: < Via: 1.0 httpd-29.verycd.com:80 (squid/2.6.STABLE20)
13.01.2009 01:00:45: < Connection: close


A C++ code snippet from the latest VeryCD mod:

CStringA CUrlSrcGetFromSvrSocket::GetServer()
{
    // Hard-coded call-home host
    return "client.stat.verycd.com";
}

CStringA CUrlSrcGetFromSvrSocket::GetUrlPath()
{
    if(m_strUrlPath != "")
        return m_strUrlPath;

    if (::IsBadReadPtr(m_pMgr, sizeof(CUrlSrcFromSvrMgr)))
        return "";

    // Note: this local shadows the member m_strUrlPath tested above
    CStringA m_strUrlPath;
    CStringA strHash;
    CStringA strSize;
    CStringA strFileName;
    CStringA strEncodedFileName;

    if( NULL==m_pMgr->m_pAssocPartFile )
        return "";

    try
    {
        // Hash
        strHash = md4str(m_pMgr->m_pAssocPartFile->GetFileHash());
        strHash.MakeLower(); // must be all lowercase

        // Size
        char szSize[1024];
        _i64toa(m_pMgr->m_pAssocPartFile->GetFileSize(), szSize,10);
        strSize = szSize;

        // FileName
        strEncodedFileName = EncodeUrlUtf8(m_pMgr->m_pAssocPartFile->GetFileName());

        // Path sent to the server: /dl/<hash><size>/<file name>/<start|finished>
        if (m_bStart)
            m_strUrlPath.Format("/dl/%s%s/%s/start", strHash, strSize, strEncodedFileName);
        else
            m_strUrlPath.Format("/dl/%s%s/%s/finished", strHash, strSize, strEncodedFileName);

        return m_strUrlPath;
    }
    catch ( ... )
    {
        return "";
    }
}

...

bool CUrlSrcGetFromSvrSocket::ProcessHttpResponse()
{
    if (m_bStart)
        return ProcessHttpResponse_Start();
    else
        return ProcessHttpResponse_Finished();
}

bool CUrlSrcGetFromSvrSocket::ProcessHttpResponseBody(const BYTE* pucData, UINT size)
{
    if (m_bStart)
        return ProcessHttpResponseBody_Start(pucData, size);
    else
        return ProcessHttpResponseBody_Finished(pucData, size);
}

bool CUrlSrcGetFromSvrSocket::ProcessHttpResponse_Start()
{
    int iMajorVer, iMinorVer;
    int iResponseCode;
    char szResponsePhrase[1024];
    // Parse the status line; note the %s here has no field width
    sscanf(m_astrHttpHeaders[0], "HTTP/%d.%d %d %s", &iMajorVer, &iMinorVer, &iResponseCode, szResponsePhrase);

    if (thePrefs.GetVerbose())
        AddDebugLogLine(false, _T("Receive UrlSources from server (http response code = %d)"), iResponseCode);

    // Anything other than 200 counts as a rejected request
    if (200 != iResponseCode)
        return false;

    return true;
}



The call-home URL is client.stat.verycd.com, which redirects to meta.verycd.com.

For original VC mods it returns sources in the background.

It works like a super source boost, but it can collect logs of all user activities on the P2P network.

No wonder VeryCD mod to VeryCD mod transfers are faster and find more sources than downloading from the community mods with another eMule mod or the official eMule. It works similarly to the Italian eMule mod Adunanza, which has its own Kad protocol.
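To check proxy or flow logs for the two requests shown in the verbose log, the following added example (not code from the VeryCD mod or from the original post) matches both URL layouts and splits the identifier into MD4 file hash, file size and file name. The `(client_ip, host, path)` record layout and the 192.0.2.x addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Hosts and path layouts as they appear in the verbose log and GetUrlPath().
STAT_HOST = "client.stat.verycd.com"
META_HOST = "meta.verycd.com"
# 32 lowercase hex chars (MD4 file hash) run straight into the decimal size.
STAT_RE = re.compile(r"^/dl/([0-9a-f]{32})(\d+)/(.+)/(start|finished)$")
META_RE = re.compile(r"^/app/emule/metalink/([0-9a-f]{32})(\d+)/(.+)\.metalink$")


def classify(host, path):
    """Return the file metadata exposed by one request, or None."""
    host = host.strip().lower()
    if host == STAT_HOST and (m := STAT_RE.match(path)):
        name, event = unquote(m.group(3)), m.group(4)
    elif host == META_HOST and (m := META_RE.match(path)):
        # The metalink request in the log is percent-encoded twice.
        name, event = unquote(unquote(m.group(3))), "metalink"
    else:
        return None
    return {"host": host, "event": event, "ed2k_hash": m.group(1),
            "size": int(m.group(2)), "filename": name}


def scan(records):
    """records: (client_ip, host, path) tuples from a proxy log (assumed layout)."""
    hits = []
    for client_ip, host, path in records:
        info = classify(host, path)
        if info:
            hits.append({"client": client_ip, **info})
    return hits


# Constructed sample: the client IPs and the last record are made up; the two
# VeryCD paths are copied from the verbose log on this page.
_ID = "e7733767b1c83004f39f42e092ec19e5729485312"
_TAIL = ".Humboldt.County.2008.DVDRip.XviD-VoMiT.avi"
SAMPLE = [
    ("192.0.2.10", STAT_HOST,
     "/dl/" + _ID + "/[%E6%B4%AA%E5%A0%A1%E5%8E%BF]" + _TAIL + "/start"),
    ("192.0.2.10", META_HOST, "/app/emule/metalink/" + _ID +
     "/%5B%25E6%25B4%25AA%25E5%25A0%25A1%25E5%258E%25BF%5D" + _TAIL + ".metalink"),
    ("192.0.2.11", "example.org", "/dl/readme.txt"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Each hit ties a client address to a specific file hash, size and name, which is the information the post says the server can log.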


Here are some mods which spoof the error using the original mod string from the VeryCD build of September 2008:

NEW - CHECKED BUILDS [compiled using ikke's revisited src and compiler setting suggestion]:
compatible version: emule.exe 6.27 MB

Older builds:
can be incompatible with some Windows versions or may need the C++ runtime modules
emule.exe 5.42 MB
emule-newer48.exe 5.42 MB
emule[CHN][VeryCD]yourname-eMule v0.48a 5.42 MB

User-made compatible builds are in the comments to this post.


The player feature is now enabled (I don't know which player must be in the mediaplayer folder from Playmule).


Disclaimer

ATTENTION! This site is for P2P development file-share client test software!
Leecher file-share client software mods published on this site should not be used online on the public internet. Use them only for education and testing purposes on internal home networks or an intranet that has no connection outside the in-house lines. The webpage owners are not responsible. Open source software without source code is in beta stage.
This page is an index catalog of other websites. We do not host any files. Visitors should decide for themselves whether they use any of this software.
Creative Commons Attribution-Noncommercial-No Derivative Works 1.0 Generic
